More and more companies are appointing chief risk officers to manage risks throughout the organization. A few are embracing risk-management techniques to gain a competitive edge.
What started as a trickle in the financial services industry a few years ago has become a stream of news releases from a broad range of companies announcing that they are filling the new position of chief risk officer, or CRO. Partly in response to corporate scandals and ensuing regulatory requirements, hundreds of companies worldwide have named senior-management-level CROs to identify and respond to risks that cut across the entire enterprise. The increased focus on corporate governance and a heightened awareness of danger in the world after September 11 are spurring companies to improve their measurement and handling of financial and operational risks.
“Deciding what risks you want to take is so vital to the future of a company that it should not be done on an ad hoc basis,” says Prakash Shimpi, president of Fraime, a New Jersey-based management consultant. While bankers have become familiar with the concept of risk-based capital, managers of industrial companies are only beginning to understand what is at stake, says Shimpi, former CEO of Swiss Re Financial Services. “I could argue that every company needs a chief risk officer,” he says. Enterprise risk management techniques, implemented by CROs, enable companies to increase transparency, safeguard shareholders’ interests and mitigate risks while making the most productive use of their capital, according to panelists at a recent discussion hosted by New York-based rating agency Standard & Poor’s, the Society of Actuaries, and the Casualty Actuarial Society (CAS). The actuarial organizations are leading an effort to promote the role of the CRO in insurance, banking, asset management, energy and healthcare companies, as well as government agencies.
Actuaries have a set of skills that make them the most logical and experienced candidates for the position of CRO, says Don Mango, vice president of research at the CAS and director of research and development at Missouri-based GE Employers Reinsurance. “Enterprise risk management, or ERM, is the science of a well-run profession, not a fad,” Mango says. “Actuaries assess the economic impact of uncertain future events and communicate options to people in a company who make the decisions,” he says.
The emergence of this high-level position has been swift. A global survey of 100 top insurance companies released by Ernst & Young in May 2004 found that 25% have a full-time CRO. But of the insurance companies with CROs, 78% said the position had existed for less than three years, according to the survey.
The Culture of Risk Management
Mark Griffin, CRO at Genworth Financial, the Richmond, Virginia-based insurance company spun off from General Electric in May 2004, says risk management is part of Genworth’s culture. “ERM has added value to our business,” Griffin says. “I am not looked on as the evil participant at every meeting.” On a recent road show for the company’s initial public offering, senior executives focused on Genworth’s ERM framework as a way to distinguish it from competitors and express its competitive advantage.
Financial services companies regard risks to their reputation as the greatest threat to their market value, according to a survey of 130 senior executives in financial institutions worldwide. The study, conducted in June and July 2004 by PricewaterhouseCoopers and the Economist Intelligence Unit, found that 82% of those surveyed agreed that awareness of risk is now more pervasive in their organization than it was two years ago. The study also found, however, that risk management remains primarily focused on meeting regulatory requirements and only secondarily on protecting and enhancing the value of a company.
In most cases, compliance capabilities are not being turned to competitive advantage. Most financial services companies surveyed rely on some measure of risk-adjusted capital, for example, but many are failing to turn this to their advantage by setting more-appropriate product pricing, according to the study. Risk management also tends to focus on quantifiable risks, such as credit and market risks, which are not necessarily the most significant risks but are easier to control than some other types of risk. “In an environment where new and potentially lethal risks can suddenly emerge, institutions need to look at the bigger picture,” says Shyam Venkat, partner at PricewaterhouseCoopers. Too few companies are concentrating on understanding the totality of the risks they face in order to give themselves a competitive advantage, Venkat says. “Less-quantifiable forms of risk can do as much, if not more, damage to companies’ reputations, shareholder value and the long-term sustainability of their business as the more straightforward types of risk,” he adds. Companies need to have crisis-management processes in place to cope with submerged risks when they suddenly surface, Venkat points out.
Douglas Brooks: “Companies need to develop and test scenarios”
There is strategic value in the information generated in meeting compliance requirements, Shimpi says. “The mathematics exists and the information technology exists to enable companies to run multi-variable scenarios in seconds,” he says. “Companies can analyze the data and use it as the basis for taking action to get rewards.”
CRO Role Is Still Evolving
The definition and role of the CRO is still evolving as companies seek to strengthen risk oversight and increase operating performance. Many CROs report to the chief financial officer, although direct reporting to the board is becoming more common. The CRO and the CFO positions are both needed, Shimpi says, because these executives work together as a system of mutual checks and balances.
The CRO’s main objective, he says, is to maximize the return on capital by optimizing risk while ensuring that exposures are controlled and can be supported by the company’s capital resources. “The basic decision about risk is whether to keep it or move it,” Shimpi says. The company that buys insurance has lower current earnings, he says, but that insurance policy could be the one thing that protects shareholders from the risk they are most concerned about.
While financial services companies were among the first to adopt ERM techniques and appoint CROs, the energy industry wasn’t far behind. Charlotte, North Carolina-based Duke Energy named Richard J. Osborne its first CRO in May 2000. The company decided it needed a CRO when it realized that half of its revenues were coming from commodity positions. Osborne, who had been Duke Energy’s CFO, was named executive vice president and CRO. In addition to corporate risk management, the CRO organization at Duke Energy includes strategic planning and development and Duke Ventures. The latter comprises a finance company, a real estate subsidiary and a telecommunications business.
In May 2002 Duke Energy and a group of other energy companies formed the Committee of CROs to develop commonly understood and accepted risk-management practices. The effort to identify capital at risk in the industry followed the increased scrutiny put on energy trading in the wake of the California power crisis and the fall of Enron in December 2001. The committee and its working groups are helping to create new netting agreements and clearing platforms that can reduce the industry’s collateral requirements.
Energy companies are also working on their own to centralize risk-management functions of all business lines and to maintain strong internal controls. In June 2004 Minneapolis, Minnesota-based NRG Energy, which owns a portfolio of power-generating facilities, primarily in the US, named J. Philip Chesson to the newly created senior management position of CRO, reporting to the CFO. Chesson is charged with measuring the company’s risk from a corporate-portfolio standpoint and developing strategies to help manage that risk. “There is a competitive advantage to looking at risk in a consistent way across an entire enterprise,” Chesson says. “Different business lines may be operating under different assumptions about growth, interest rates and other factors.”
It’s not enough for a company just to name a CRO, Chesson says. The company must engage in the practice of risk management with the CRO providing discipline. “We ask questions such as ‘Could the price fall as low as this?’ and ‘Do we have enough capital reserves so that when something does happen we will survive?’”
NRG Energy emerged from Chapter 11 bankruptcy on December 5, 2003, after eliminating $6 billion of debt and other liabilities and refinancing another $2.7 billion of debt at competitive rates with extended maturities. The company’s financial troubles began in October 1999, when it signed a four-year contract to supply power to Connecticut Light and Power. A subsequent increase in the price of power resulted in a major drain on NRG Energy’s finances. To manage such commodity risk, NRG Energy now locks in future margins when it sells power forward through contracts. “This strategy enables us to enjoy stable returns while still giving us the opportunity to take advantage of higher returns when they are available,” Chesson says.
While financial and energy companies have been among the first to adopt enterprise-wide risk-management techniques, any company can benefit when a CRO becomes involved early in the decision-making process, says Venkat. “Risk is universal. Manufacturing companies must comply with environmental laws, for example, that put them at risk for how they dispose of waste,” he says. “The impact of risks that come home to roost may be disproportionate to the amount of actual loss involved,” Venkat says. “The bigger impact could be on a company’s reputation and customer loyalty.”